12-Year-Old Windows Defender Bug Gives Hackers Admin Rights

Microsoft has fixed a privilege escalation vulnerability in Microsoft Defender Antivirus (formerly Windows Defender) that could allow attackers to gain admin rights on unpatched Windows systems.

Microsoft Defender Antivirus is the default anti-malware solution on over 1 billion systems running Windows 10 according to Microsoft’s stats.

The elevation of privileges flaw tracked as CVE-2021-24092 impacts Defender versions going back as far as 2009, and it affects client and server releases starting with Windows 7 and up.

Threat actors with basic user privileges can exploit it locally, as part of low complexity attacks that don’t require user interaction.

The vulnerability also impacts other Microsoft security products including but not limited to Microsoft Endpoint Protection, Microsoft Security Essentials, and Microsoft System Center Endpoint Protection.

SentinelOne found and reported the vulnerability in November 2020. Microsoft released a patch on Tuesday, together with the other security updates published as part of the February 2021 Patch Tuesday.

Also Read: 15 Best Tools For Your Windows 10 Privacy Settings Setup

Undetected for more than a decade

The vulnerability was discovered in the BTR.sys driver (also known as the Boot Time Removal Tool) used during the remediation process to delete files and registry entries created by malware on infected systems.

“Prior to the fix, the vulnerability had remained undiscovered for 12 years, probably due to the nature of how this specific mechanism is activated,” according to a SentinelOne report published today and shared with BleepingComputer in advance.

“We assume that this vulnerability remained undiscovered until now because the driver is normally not present on the hard drive but rather dropped and activated when needed (with a random name) and then purged away.”

The last Microsoft Malware Protection Engine version affected by this vulnerability is version 1.1.17700.4. The first version where the bug was addressed is 1.1.17800.5.

Systems patched against this vulnerability should run Microsoft Malware Protection Engine version 1.1.17800.5 or later.

More info on how to check the Malware Protection Engine version on your systems is available here. 

Defender security update installs automatically

Redmond says that the CVE-2021-1647 security update will install automatically on systems running vulnerable Microsoft Defender versions if automatic updates are enabled.

Microsoft Defender automatically updates both the Malware Protection Engine (the component used for scanning, detection, and cleaning) and malware definitions on enterprise and home devices.

Although Microsoft Defender can check for engine and definition updates multiple times per day, customers are advised to manually check for updates if they want to immediately install security updates.

“Of course, while it seems like the vulnerability hasn’t been exploited, bad actors will probably figure out how to leverage it on unpatched systems,” SentinelOne concluded.

Also Read: Going Beyond DPO Meaning: Ever Heard of Outsourced DPO?

“Additionally, since the vulnerability is present in all Windows Defender versions starting from around 2009, it’s likely that numerous users will fail to apply the patch, leaving them exposed to future attacks.”

Last month, Microsoft fixed another Microsoft Defender Antivirus vulnerability, a zero-day exploited in the wild that allowed remote attackers to execute malicious code on unpatched Windows devices.